KnowBe4 Warns about New Ransomware Hidden in Word Docs

February 2016 by Stu Sjouwerman, CEO, KnowBe4


New “Locky” ransomware is professional-grade malware.
(Clearwater, FL) February 17, 2016 — KnowBe4 Inc, the industry-leading security awareness training and integrated phishing platform, today warned its customers of a vicious new strain of ransomware delivered inside Word documents. The strain, somewhat amateurishly named "Locky", is professional-grade malware. The infection chain starts with an email carrying a Microsoft Word attachment that contains malicious macros, which makes it hard to filter out; few antivirus products are catching it. Social engineering is applied twice: first to get the user to open the attachment, then to get them to enable the macros in the Word file. When the document is opened, its content appears scrambled and a message tells the reader to enable macros if the text is unreadable.

According to KnowBe4’s CEO Stu Sjouwerman, “Once a victim enables the macros, they download an executable from a remote server into the %Temp% folder and execute it. This executable is the Locky ransomware, which, when started, will begin to encrypt the files on your computer and network.”

The email message carries a subject similar to "ATTN: Invoice J-98223146" and a body such as "Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice". This new strain was first reported in the UK by Kevin Beaumont, and Lawrence Abrams at BleepingComputer published a more in-depth analysis.

According to Abrams, "It targets a large amount of file extensions and even more importantly, encrypts data on unmapped network shares. Encrypting data on unmapped network shares is trivial to code and the fact that we saw the recent DMA Locker with this feature and now in Locky, it is safe to say that it is going to become the norm. Like CryptoWall, Locky also completely changes the filenames for encrypted files to make it more difficult to restore the right data."

Sjouwerman noted, “The old Office macros from the nineties have not gone away and the bad guys are combining this old technology with clever social engineering. If you trust antivirus software and your users not clicking ‘Enable macros’ you are going to have a problem. You can’t just disable all macros across the whole company because a lot of legacy code relies on macros. Telling all users to sign their macros will also take months.”

KnowBe4 advises the following steps be taken:

“1. Go hunt for this Group Policy setting in the Trust Center, and set it to “Disable all except digitally signed macros”.

2. Now check out Trusted Locations: User Configuration/Administrative Templates/Microsoft Office XXX 20XX/Application Settings/Security/Trust Center/Trusted Locations

3. Set your shared folder location URL in here, e.g. \\blah.local\public\office (More detail can be found at Microsoft TechNet.)

4. Now instruct your users to make sure all macros are used from shared folders. Macros should work as before on their regular documents. If Mr. Bad Guy emails Joe in Accounts Payable a Bad File, the macro won’t run.”

The user won’t see a prompt to enable the macro, nor can they enable it from the Office options.
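The four steps above are a Group Policy configuration; the Office ADMX templates implement them as values under the per-user policy hive. The following PowerShell script is an added example, not from the KnowBe4 release, that writes the same settings directly to those policy keys for Word, Excel and PowerPoint and then reads them back. It assumes Office 2016 (policy version 16.0; use 15.0 for Office 2013) and reuses the article's hypothetical share \\blah.local\public\office; both are assumptions to adjust for your own estate. Run it in a test user's session to confirm the effect before pushing the same values through a real GPO.

```powershell
# Added example (not KnowBe4's own code): apply the Trust Center policy steps above
# via the registry-backed keys that the Office ADMX templates write.
# Assumptions: Office 2016 (version 16.0) and the hypothetical share from the article.
# Writes the HKCU policy hive, so run it in the context of the user being tested.

$OfficeVersion = '16.0'                         # assumption: Office 2016 (15.0 = Office 2013)
$TrustedShare  = '\\blah.local\public\office'   # hypothetical path taken from step 3 above

$apps = @('Word', 'Excel', 'PowerPoint')

foreach ($app in $apps) {
    $security = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    New-Item -Path $security -Force | Out-Null

    # Step 1: VBAWarnings policy. 1 = enable all, 2 = disable with notification,
    # 3 = disable all except digitally signed, 4 = disable all without notification.
    # With 3, an unsigned macro from an emailed document is silently blocked: no prompt.
    New-ItemProperty -Path $security -Name 'VBAWarnings' -PropertyType DWord -Value 3 -Force | Out-Null

    # Steps 2 and 3: Trusted Locations. Network paths are refused unless
    # AllowNetworkLocations is set; each location lives in its own LocationN subkey.
    $trusted = Join-Path $security 'Trusted Locations'
    New-Item -Path $trusted -Force | Out-Null
    New-ItemProperty -Path $trusted -Name 'AllowNetworkLocations' -PropertyType DWord -Value 1 -Force | Out-Null

    $loc = Join-Path $trusted 'Location1'
    New-Item -Path $loc -Force | Out-Null
    New-ItemProperty -Path $loc -Name 'Path'            -PropertyType String -Value $TrustedShare -Force | Out-Null
    New-ItemProperty -Path $loc -Name 'AllowSubfolders' -PropertyType DWord  -Value 1             -Force | Out-Null
    New-ItemProperty -Path $loc -Name 'Description'     -PropertyType String -Value 'Approved macro-enabled documents' -Force | Out-Null
}

# Read the effective values back so the change can be verified before a wider rollout.
foreach ($app in $apps) {
    $security = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
    $warn = (Get-ItemProperty -Path $security -Name 'VBAWarnings').VBAWarnings
    $path = (Get-ItemProperty -Path (Join-Path $security 'Trusted Locations\Location1') -Name 'Path').Path
    '{0}: VBAWarnings={1} TrustedLocation={2}' -f $app, $warn, $path
}
```

Two caveats a practitioner should keep in mind. Documents opened from a Trusted Location bypass the macro setting entirely, so the share must be writable only by the people who maintain the approved macro documents; a share that any user can write to simply moves the problem. And because the policy value is 3 rather than 2, users get no prompt at all for unsigned macros, which is the behaviour step 4 relies on, so expect the legacy macro-dependent documents mentioned earlier to stop working until they are either moved to the share or signed.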
Sjouwerman added “Technically speaking, your users are the new DMZ, and you need to create a human firewall. Effective security awareness training is a must these days.”

